
Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)

2008-11-16 22:13:51

In message <87skprnyml.fsf@mid.deneb.enyo.de>,
Florian Weimer writes:
* Mark Andrews:

The lack of a macro capability also means that it's basically
impossible to secure DNSBL zones with DNSSEC when they contain larger
chunks of address space; see the example in section 2.1.

 How so?

The expectation is that error messages generated from TXT records
contain the actual IP addresses which triggered the DNSBL lookups.  As
a result, if you list a /16 (say), you need to publish 65,536 different
TXT records.

Currently, these records are synthesized using a macro capability in
the DNS server.

    Which is independent of DNSSEC.  I ask again how this is a
    DNSSEC problem.

I didn't say it was a DNSSEC problem.  I just wanted to note it's
impossible to secure some existing DNSBL zones using DNSSEC without
sacrificing some of the functionality which is mentioned in section
2.1 in the draft.

        I still don't believe your claim.

        Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
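The point in dispute above is the per-address TXT text. The following is an added illustration, not code from either poster or from the draft: it builds the reversed-octet DNSBL query name from section 2.1, fills a TXT template the way a macro-capable server would at query time, and counts how many distinct records a macro-less (hence statically signable) zone would have to carry for a listed prefix. The zone name `dnsbl.example`, the `$` placeholder and the return-code 127.0.0.2 are assumptions for the example.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical DNSBL zone, not from the thread
# '$' marks where the queried address is substituted (assumed macro syntax)
TXT_TEMPLATE = "Listed; see https://dnsbl.example/lookup?ip=$"


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """DNSBL query name: the IPv4 octets reversed, under the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def synthesize_txt(ip: str, template: str = TXT_TEMPLATE) -> str:
    """What a macro-capable server emits at query time: the template with
    the actual queried address filled in."""
    return template.replace("$", ip)


def static_records_for_prefix(prefix: str, template: str = TXT_TEMPLATE) -> dict:
    """Records a zone without macros must hold explicitly for one listed prefix.

    The A RRset (conventionally 127.0.0.2) is identical for every address, so
    a single wildcard covers an octet-aligned prefix.  The TXT RRset differs
    per address as soon as the template embeds the address, so every listed
    address needs its own owner name: 65,536 of them for a /16.  Dropping the
    address from the template collapses that to one record, at the cost of
    the functionality the thread is arguing about.
    """
    net = ipaddress.IPv4Network(prefix)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("example only handles octet-aligned prefixes")
    kept = net.prefixlen // 8  # leading octets that identify the block
    block_octets = net.network_address.exploded.split(".")[:kept]
    wildcard_owner = "*." + ".".join(reversed(block_octets)) + "." + ZONE
    distinct_txt = {synthesize_txt(str(a), template) for a in net}
    return {
        "addresses": net.num_addresses,
        "wildcard_owner": wildcard_owner,  # e.g. "*.2.0.192.dnsbl.example. A 127.0.0.2"
        "a_records_needed": 1,
        "txt_records_needed": len(distinct_txt),
    }


if __name__ == "__main__":
    print(dnsbl_name("192.0.2.1"), "TXT", synthesize_txt("192.0.2.1"))
    print(static_records_for_prefix("10.1.0.0/16"))
    print(static_records_for_prefix("10.1.0.0/16", "Listed; see the web site"))
```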
